Man in the Middle (MITM) Attack | Consultants Factory

A MITM attack takes place when a communication between two systems is intercepted by an outside entity and it usually happens in any form of online communication such as, email, social media, web surfing etc. In this common type of security attack, the hackers try to eavesdrop on an individual’s private conversation and also target all the information inside his device.

Practical Example:

Raj is a hacker who takes his laptop to a nearby coffee shop where free Wi-Fi is provided to its customers. Knowing that a lot of people visits the café with laptops, he lays his trap by setting up his own Wi-Fi hotspot with an ambiguous name hoping to trick people into using it. His hotspot proxies traffic through to the internet but he also sets up a network sniffer to inspect any traffic as it passes through.

Shila is a customer who visits the café to grab a cup of coffee. She connects to likely looking hotspot not knowing that Raj is watching her every move. Shila is perfectly safe when she visits sites that implement https as everything except the domain of the site is encrypted in http packets. However, anytime Shila visits a site that does not use encryption, Raj can see the conversation and he starts recording unsecured credentials and other sensitive information. By the time Raj has finished his coffee he has a whole file of hacked data. He disconnects his hotspot and leaves the café.

This is one of the few scenarios which tries highlighting the ways through which MITM attack is launched. But these might be avoided being extremely careful.

Signs to spot MITM Attacks:

1) Unexpected and/or repeated disconnections:

Attackers forcefully disconnect users so they can block the username and password when the user attempts to reconnect. By monitoring for unexpected or repeated disconnections, you can figure out this potentially risky behavior proactively.

2) Strange addresses in your browser address bar:

If anything in the address looks odd, even by a little, check that twice. It could be a DNS hijack. For example, you see https:\\www.go0gle.com instead of https:\\www.google.com

3) You log into a public and/or unsecured Wi-Fi:

You should be very careful of what networks you connect to, and avoid public Wi-Fi if possible. Attackers create fake networks with known IDs like “local free wireless” or some other common name to deceive people into connecting. If you connect to the attacker’s Wi-Fi, they can easily trace everything you communicate on the network.

Prevention:

A good cybersecurity hygiene helps to prevent MITM attacks.

1. Most common type of security measure that every computer uses is a Firewall. A Firewall is a software or firmware that enforces a set of rules about what data packet will be allowed to enter or leave a network. Firewalls are incorporated into a wide variety of network devices to filter traffic and lower the risk of malicious packets travelling over the public internet impacting the security of a private network.

2. Always use trusted networks and devices to log in to sensitive websites.

3. Avoid connecting to a Wi-Fi that is open(unencrypted).

4. In case you have to use a public computer, check its browser for the presence of any rogue certificate and ensure that there aren’t any. Check the hosts’ file too.

5. Transport Layer Security (TLS) is a cryptographic protocol that allows applications to communicate across the network in a way designed to prevent eavesdropping and tampering. You shall ensure that any sensitive communication is done over https which makes use of the TLS protocol.

6. Add a VPN to encrypt traffic between end-points and the VPN server (either on the enterprise network or on the internet). If traffic is encrypted, it’s harder for a MITM to steal or modify it.

7. Use end-to-end encryption for your emails, chat, and video communication (Zoom, Teams, etc.)

8. Keep your system patched and malware updated

9. Use a password manager to protect your passwords and prevent reuse of passwords

10. Only connect to HTTPS connections.

11. Use multi-factor authentication wherever available.

12. Follow the zero-trust principles to build internal barriers around access to data.

13. Monitor activity on the network to detect evidence (malicious network connections or abnormal user behavior, for example) of a compromise or MITM techniques in use.